Systems and methods for securing computers

ABSTRACT

Systems and methods are disclosed for avoiding electronic mail (email) attacks on a computer by downloading one or more emails in virtual-copy format to prevent the one or more emails from executing; determining whether a potentially infected email is in the one or more emails; and displaying the potentially infected email to a user and providing a user interface to allow the user to select and delete the infected email prior to downloading emails to the user's computer.

This application is a reissue application of U.S. Pat. No. 7,831,672, issued Nov. 9, 2010, which is a continuation of application Ser. No. 09/972,596 filed Oct. 5, 2001, the contents of which are incorporated by reference.

COPYRIGHT RIGHTS

A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND

The present invention relates to systems and methods for protecting a computer against a virus or a worm.

With the widespread use of computers and computer networks such as the Internet, computer viruses have become problematic to computers and computer users. Such viruses are typically found within computer programs, files, or code and can produce unintended and sometimes damaging results. These viruses can be transmitted by disk, electronic mail (e-mail), radio wave, light wave, or other computer readable media. For example, emails transmit electronic messages from one computer to another. These messages may be simple text messages or more complex messages containing documents and data of various types. The transmission of e-mail messages may range from transmission over a short distance, such as over a local area network between employees in adjoining offices, to transmission over extremely long distances, such as over the global Internet between users on different continents. The global nature of emails makes them easy carriers for viruses.

One type of virus produces copies of itself in other programs, allows the programs to perform their regular operations, and surreptitiously performs other, unintended actions. Other types of viruses include, without limitation, the following: worms, logic bombs, time bombs, trojan horses, and any malicious program or code residing in executable programs, macros, applets, or elsewhere. While advances have been made in the detection of viruses, the proliferation of computers and the increasing interconnection of, and communication between, computers have also increased the opportunities for the spread of existing viruses and the development of new computer viruses. Thus, the number and type of viruses to which a computer or computer system is potentially exposed is ever changing. This is one reason that the information used to detect viruses requires seemingly constant revision and augmentation in order to detect the various strains of viruses. For example, a virulent virus that first appeared in September 2001 is Nimda (a.k.a. W32/Nimda@MM or Code Rainbow), a worm that attacks Microsoft Windows systems. Nimda attacks a variety of both server and client vulnerabilities and even the back doors left by Code Red II. Nimda can attack via email. It uses the Internet Explorer exploit mentioned in MS01-020 to cause Outlook to automatically execute the worm on a user's system. Nimda can attack via web browser. If a user visits an infected web server and does not have patch MS01-020 applied, their machine can be infected. Nimda can attack using holes opened by previous worms. Code Red II opened a variety of holes in the system, presumably for use by nefarious individuals to control the target machine. Nimda looks for these holes. If they are present, it uses them to install itself on the machines in question. Web servers are attacked using a wide variety of previously known and patched holes. If Nimda detects the presence of file shares on a remote machine and it has access rights, it will infect the machine through those shared files.

As another example, Melissa is a computer virus launched when a user opens an infected Microsoft Word 8 or Word 9 document contained in Microsoft's Office suite of software products. The virus prompts Microsoft's Outlook e-mail program to send an infected document to addresses in a victim's Microsoft Outlook address book. The e-mail can appear to be from a boss, co-worker, or friend. Even if the user doesn't use Outlook, the virus can infiltrate the default Word document template “Normal.dot” and send the virus to anyone receiving their Word documents. The virus also attacks the registry for Word and changes security settings that prevent the Word macro warning from appearing. The original virus is sent via e-mail with the subject line “Important Message From . . . ” and then automatically fills in the user's name. The text inside the message reads “Here is the document that you asked for. Don't show anyone else ;-).” The message includes an attached document of pornographic Web sites called “list-.doc.”

There are various methods for detecting viruses. One method of detection is to compare known virus signatures to targeted files to determine whether the targeted files include a virus signature and, thus, the corresponding virus. The comparison data used for virus detection might include a set of such known virus signatures and, possibly, additional data for virus detection. Typically, the comparison data is maintained in a computer storage medium for access and use in the detection of viruses. For example, for a personal computer the comparison data might be stored on the computer's hard disk. Periodically, comparison data updates are provided to detect new or different forms of viruses. The comparison data updates are typically provided on some source storage medium for transfer to the storage medium used to maintain the comparison data. For example, an update might be provided on a floppy disk so that a personal computer user can transfer the comparison data update from the floppy disk to the computer hard disk to complete the update.

The comparison data is essentially discrete and static. That is, all of the information used for the detection of viruses generally remains constant unless it is updated or altered by the user or other relevant party or action. This can be problematic because the quality of information used to detect viruses is reliant upon some form of comparison data maintenance. Another problem with updatable comparison data is that the comparison data can quickly lose its efficacy due to the existence of new and different viruses. Thus, while a periodic update might seem effective, there is no telling how many new and different viruses could be produced in the interim. Still another problem with comparison data updates is that a transfer of an entire replacement set of data, or at least a transfer of all the new virus detection data, is typically undertaken in order to complete the update. Whether an entire replacement or all of the new virus detection data is involved, a significant amount of data must be transferred for the update. More specifically, if a user updates her virus detection information using, for example, an update provided on a floppy disk, at least all of the new virus detection information is transferred from the floppy disk to the appropriate medium.

Regardless of the update source, the problems of updatable comparison data remain. Specifically, the user, administrator, or other relevant party is still typically responsible for accessing and updating the comparison data, the comparison data can quickly and unpredictably lose its efficacy, and a significant amount of data must be transferred from the source to the storage medium used for the comparison data. Indeed, the amount of data to be transferred may be more problematic where internet resources are the source of the comparison data update since a significant amount of computational resources would be used to complete the update.

Another problem in the detection of viruses is that conditions vary from computer to computer. Thus, a first computer or medium could require a first type of scanning while another computer or medium, even one in the same network as the first, could require a second type of scanning. In these instances, virus scans can be overinclusive in that they scan for viruses that could not possibly reside at the computer, and can be underinclusive if an exhaustive scan for the types of viruses likely to reside at the computer, based upon the conditions presented at the computer, is not undertaken. To adequately perform a virus scan according to the conditions particular to a computer, a user or other relevant party typically must configure the scan. This can be problematic because of reliance upon party input. Additionally, the conditions pertaining to a particular computer and the requisite type of scanning can change.

With the increasing interconnection and communication between computers, the requirements for maintaining computers residing on a computer network have also increased. Again, maintenance is typically undertaken directly by a person, such as the network administrator, using resources which are locally available to the network administrator. For example, in the treatment of computers on a local area network for viruses, an administrator could commonly configure the computers to access locally available virus scanning resources. This maintenance scheme is problematic in its reliance upon updates, its failure to adapt to changing conditions, and its failure to make adequate use of resources external to the local area network. Today, popular operating systems and software, such as the Microsoft system and applications, are tied into the company network and the Internet. Since many features and automation are built into the system, when a virus-infected email is received by Microsoft's Outlook application, the virus can leverage Windows system resources to attack. The virus abuses the user's system and Outlook address book to spread itself and to impact other systems connected to the Internet. The global nature of the Internet means that one virus email can create a large amount of network traffic that jams the server that the user connects to as well as the Internet. Such a virus can be destructive and can cause lost business due to computer downtime.

SUMMARY

In one aspect, a method for avoiding electronic mail (email) attacks on a computer includes downloading one or more emails in virtual-copy format to prevent the one or more emails from executing; determining whether an infected email is in the downloaded one or more emails; and disposing of the infected email.

Implementations of the above aspect may include one or more of the following. The method allows non-infected emails to be accessed. The method includes downloading non-infected emails to an email software such as Microsoft Outlook. The method includes parsing the downloaded virtual-copy format emails to determine whether the emails are secure. Potentially infected emails are determined based on one or more of the following: an email from field, an email to field, and an email subject field. The method includes applying a security policy that specifies characteristics of potentially infected emails. The method includes removing one or more potentially infected emails based on the security policy. The system can display a summary for each email.

In another aspect, a system for avoiding electronic mail (email) attacks on a computer includes means for downloading one or more emails in virtual-copy format to prevent the one or more emails from executing; means for determining whether an infected email is in the downloaded one or more emails; and means for disposing of the infected email.

Advantages of the above systems and methods may include one or more of the following. The system uses a proactive approach to capture information from a copy of a user's emails. A Smart-Diagnosis engine analyzes the emails and indicates potentially infected email(s) for the user. The user can then manually remove those emails and kill the viruses before they infect the user's computer. The system allows the user to subscribe to a predetermined security policy. The system allows the user to view emails before they come into the user's system. A smart user interface is provided to indicate potentially-infected emails. The user interface shows the full file name of each email attachment and the email size. The user interface also provides a history log file view. The user can review a historical email log file and can delete the email log file view as well as review the deleted email log file. Further, the user can schedule the system to run and perform Smart-Diagnosis.

Other advantages may include one or more of the following. The system co-exists with any other email application such as Microsoft Outlook. The user can screen emails, can remove email, and read emails in a secure manner. The user can use his or her favorite email application to safely read emails and associated attachments. Since the virus or worm does not get through, the virus or worm cannot propagate itself by accessing the user's address book in Outlook and sending copies of itself to each entry in the address book.

The system allows a user to relate all of the steps in avoiding virus infections and to save all of the information regarding each of the various steps in one convenient and easily accessible location. The system is also efficient and low in operating cost. It also is highly responsive to user demands.

Other advantages and features will become apparent from the following description, including the drawings and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows an exemplary process that alerts users to potentially dangerous emails before they download the emails into their email software.

FIG. 2 shows an exemplary process to detect and delete emails potentially infected with a virus or a worm.

FIG. 3 shows the system of FIGS. 1-2 in a network.

FIGS. 4-5 show various exemplary user interfaces for the anti-virus system of FIG. 1.

DESCRIPTION

Referring now to the drawings in greater detail, there is illustrated therein structure diagrams for a virus avoidance system and logic flow diagrams for the processes a computer system will utilize to complete various anti-virus transactions. It will be understood that the program is run on a computer that is capable of communication with consumers via a network, as will be more readily understood from a study of the diagrams.

Referring now to FIG. 1, an exemplary process 10 alerts users to potentially dangerous emails before they download the emails into their email software. First, the user previews his or her emails (step 12). The process 10 applies one or more rules to identify potentially dangerous emails and highlights them for the user to decide (step 14). The user can keep the email or delete the email (step 16). Upon reviewing the batch of emails, the user can download the emails to his or her email software. The purpose of the process 10 is not to detect or repair specific viruses, but to alert users to the fact that they are opening emails that could contain viruses or worms and to allow users to delete questionable emails.

Referring now to FIG. 2, an exemplary process 200 to detect and delete emails potentially infected with a virus or a worm is shown. E-mail is popular because it is a quick, convenient, and easy way to exchange information and communicate with others. E-mail offers numerous advantages over other forms of communication. For example, e-mail is less intrusive than a telephone call because the recipient of an e-mail message may wait until a convenient time to retrieve and respond to the message rather than being immediately interrupted. Another advantage of e-mail is the ability to communicate with large groups of people by sending a single e-mail message to multiple recipients. Still another advantage of e-mail is the ability of attaching documents in electronic format to an e-mail message. Viruses and worms typically disguise themselves in the form of executables or programmable macros embedded in the emails.

The process 200 allows a user to preview incoming emails and enables the user to delete potentially dangerous emails. The process 200 can be run automatically (step 202) or can run upon command. The process 200 determines whether the user has set up one or more email accounts (step 204). If not, the user is prompted to set up one or more email accounts and these accounts can be tested to ensure that they are properly set up (step 206). Typically, the email accounts are specified by providing the user's email address and the transmit/receive addresses for a mail server maintained by the user's Internet Service Provider (ISP).

From step 204, if one or more email accounts are available, the process 200 retrieves (downloads) emails from the mail server in a virtual-copy format (step 210). The virtual-copy format allows the downloaded content to be safely analyzed in that virtual-copy format data cannot be executed.

Next, each email is parsed (step 212). The process 200 then checks whether the user has subscribed to a security policy that specifies whether the user wants the process 200 to automatically remove emails fitting specific criteria indicative of a virus or a worm embedded therein (step 214). If no security policy has been specified, the process 200 diagnoses email attachments for other hints of viruses or worms based on the attachment type and the emails' fields such as the From field, the To field, and the Subject field, among others (step 216).

From step 214, if the security policy has been specified, the process 200 removes email(s) potentially infected with viruses or worms (step 220) and records the removal into a log (step 222).

From steps 216 or 222, the process 200 displays brief information for each email and highlights emails that potentially contain worms or viruses (step 224). The user can select one or more emails and execute a Delete operation (step 226). Based on the user's instructions, the process 200 accesses the user's mail server and removes the selected emails stored in the user's account at the mail server hosted by the user's ISP (step 228). Next, the process 200 launches the user's default email software to retrieve the safe emails (step 230).

A Smart-Diagnosis engine analyzes the emails and indicates potentially infected email(s) for the user. The engine can be an “expert system” or an intelligent computer program that uses knowledge and inference procedures to solve problems such as virus detection. An expert system includes a knowledge base of domain facts and heuristics associated with the problem. The facts constitute a body of information that is widely shared, publicly available, and generally agreed upon by experts in a field. The “heuristics” are mostly private, little-discussed rules and strategies of good judgment, plausible reasoning, and good guessing that characterize expert-level decision-making and drastically limit search in large problem spaces. This knowledge is used by the system in reasoning about the problem. The expert system also includes a control structure for symbolically processing and utilizing the information stored in the knowledge base to solve the problem. This control structure is also commonly referred to as the inference engine. A global data base serves as a working memory to keep track of the problem status, input data, and relevant facts and history of the solution progression in detecting and removing harmful viruses and worms. The system also includes an explanation system to allow the user to challenge and examine the reasoning process underlying the system's answers. This includes a user friendly interface to facilitate user interaction with the system. The expert system also includes a knowledge acquisition system to facilitate the addition of new knowledge on viruses and worms into the system. Knowledge acquisition is an ongoing process, thus the knowledge must evolve over time through several iterations of trial and error. This interactive transfer of expertise from a human expert to the expert system is required in order to achieve an operationally acceptable level of performance. Although an expert system is discussed, the Smart-Diagnosis engine can also be a neural network, a fuzzy logic or a statistical based learning system.

In one embodiment, the email software is Microsoft's Outlook software, published by Microsoft Corporation of Redmond, Wash. The Outlook client application is divided into several modules, including a calendar manager, a task list manager, a contact manager, a message manager (e-mail), and a notes manager. All folders (containers) contain objects, or items such as e-mail items, appointment items, task items, address items, etc. Items have a set of fields and a behavior associated with them. For example, an e-mail item has To, From, CC, Subject, date and time fields among others. The behavior of e-mail items includes knowledge of what it means to Forward or Reply/Reply All. A user stores information in the form of items. Items, in turn, reside in folders. A message is a collection of properties. Items are composed of fields. For example, the “subject” in an e-mail note would be a field called “subject” in the e-mail item. In the Outlook program, every item is initially created from a template. A template is the “mold” from which new items are made and as such describes the fields and the item—the data types, default values, formatting rules, etc. For example, there would be a default template for each kind of item listed above: appointments, to-do items, notes, e-mail messages, among others. For additional information regarding the Outlook program, the reader may refer to the documentation that is distributed with the Outlook program.

Pseudo-code for the process 200 is shown below:

    STEP 1.0
      IF user Pop3 mail server information is available THEN
        Run main application
      ELSE
        Run “Setup E-mail account and testing” property page
        IF user fill in Pop3 mail server address, username and password THEN
          Recommend user press “test” button to test POP3 E-mail account
          and if so:
            Issue win socket command
            Interpret receiving raw data from POP3 mail server
            Send back user information and password
            Check receiving data
            IF no error found THEN
              Finish test and show message to user
              Close win socket
            ELSE
              Display error message and remind user try again
            END IF
        ELSE
          Warn user to complete test, otherwise emails may not be retrieved
          IF user's pop3 information not available THEN
            Disable certain functions to protect itself
          END IF
        END IF
      END IF
    STEP 1.1
      IF user subscribe automatic check in certain interval time THEN
        Use user's POP3 information and run whole process,
        Include automatic
          Retrieve user's email
          Parse E-mail
          Diagnoses email component, such as To, From, Subject,
            Attachment, Mail body
          Check user subscribe security policy
          Display all the email data with intelligent format to help
            user do the final scan
          Repeat step 2, 3 and 4
      END IF
    STEP 2
      IF user finish test POP3 email account THEN
        Retrieve email by POP3 protocol in raw format
        Save incoming received data to file stream and temporary store in
          user machine
        Store all the email data in virtual-copy format for safe accounting in
          “Diagnoses”
      END IF
    STEP 3
      IF retrieve email successful THEN
        Parse E-mail virtual-copy format data
        Extract E-mail header like To, From, Subject, Cc, Bcc, Attachment
          and Body text
        Diagnose To, From and Subject data to detect virus pattern or behave
        Diagnose Attachment file to detect any potential auto run pattern
          or behave
        IF user subscribe security policy THEN
          Execute security check and automatic “Remove” those campaign email
            which fit in check condition
          Write the log file for user reference
        END IF
      END IF
    STEP 4
      IF no error from parse email THEN
        According parse result, display different level of warning such as
          virus icon, attachment icon and red background color to indicate
          suspicious emails
      END IF
    STEP 5
      User can
        a. Remove suspicious email
        b. Remove junk email as well
        c. Remove unknown “From” email
        d. Remove mail which its To or Cc contain email address and
           similar name email address
        e. Capture email information to log file
    STEP 6
      User can launch Outlook or other email application to read, send and
        manage their email

    Property page 1
      User can setup their POP3 account and test their email account here.
    Property page 2
      User can subscribe security policy here,
      Include
        Mail address filter function - domain name check in “From” field
        Text filter function - filter specific text show up in To, From, Subject
          or E-mail Body text
      IF user select “automatic” remove THEN
        Each time email retrieval is done, a security policy operation is executed
          to remove candidate “dangerous” emails from user email account in ISP
          POP3 server.
      END IF
    Property page 3
      User can setup schedule to run automatically
    Property page 4
      User can setup log file recording option.
        Option 1 - automatic capture email information to log file after
          execute retrieve email operation
        Option 2 - user clicks toolbar button to capture email information
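
The parse, diagnose and security-policy steps of process 200 (Steps 3 to 5 of the pseudo-code) can be sketched in Python as follows. This is an added example, not code from the patent: the extension list, the recipient threshold, all class and function names, and the sample messages are assumptions constructed for illustration, and the raw message bytes stand in for the virtual-copy format in that they are only parsed, never rendered or written out as files.

```python
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses
import os

# Assumed heuristics: the page names the inputs (From, To, Subject, attachment
# type, long recipient lists) but gives no extension list or threshold.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js", ".doc"}
MAX_RECIPIENTS = 20


@dataclass
class SecurityPolicy:
    """Subscribed policy ('Property page 2'); field names are hypothetical."""
    blocked_from_domains: set = field(default_factory=set)
    blocked_text: tuple = ()
    auto_remove: bool = False


@dataclass
class Verdict:
    msg_id: int
    sender: str
    subject: str
    attachments: list
    reasons: list

    @property
    def suspicious(self):
        return bool(self.reasons)


def diagnose(msg_id, raw, pol):
    """Parse one message held as inert bytes and collect warning reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    rcpts = getaddresses([str(v) for h in ("To", "Cc") for v in msg.get_all(h, [])])
    reasons = []

    parsed = getaddresses([sender])
    domain = parsed[0][1].partition("@")[2].lower() if parsed else ""
    if not domain:
        reasons.append("missing or unparseable From")
    elif domain in pol.blocked_from_domains:
        reasons.append(f"From domain blocked by policy: {domain}")
    if len(rcpts) > MAX_RECIPIENTS:
        reasons.append(f"long recipient list ({len(rcpts)})")

    body = msg.get_body(preferencelist=("plain",))
    text = (subject + " " + (body.get_content() if body else "")).lower()
    for needle in pol.blocked_text:
        if needle.lower() in text:
            reasons.append(f"text filter hit: {needle!r}")

    names = []
    for part in msg.iter_attachments():  # file names only; payload is not saved
        name = part.get_filename() or "(unnamed)"
        names.append(name)
        stem, ext = os.path.splitext(name.lower())
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {name}")
        if os.path.splitext(stem)[1]:
            reasons.append(f"double extension: {name}")
    return Verdict(msg_id, sender, subject, names, reasons)


def screen(mailbox, pol):
    """Return (verdicts, message ids to delete on the server under the policy)."""
    verdicts = [diagnose(i, raw, pol) for i, raw in mailbox.items()]
    to_delete = [v.msg_id for v in verdicts if v.suspicious and pol.auto_remove]
    return verdicts, to_delete


def sample_mailbox():
    """Constructed messages standing in for raw data retrieved over POP3."""
    def build(sender, to, subject, body, attachment=None):
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = sender, to, subject
        m.set_content(body)
        if attachment:
            m.add_attachment(b"constructed placeholder bytes", maintype="application",
                             subtype="octet-stream", filename=attachment)
        return m.as_bytes()
    many = ", ".join(f"user{i}@example.org" for i in range(30))
    return {
        1: build("alice@example.com", "bob@example.org", "Lunch?", "Noon works."),
        2: build("boss@example.com", many, "Important Message From Boss",
                 "Here is the document that you asked for.", "list-.doc"),
        3: build("promo@bulk.example", "bob@example.org", "Invoice",
                 "See attached.", "invoice.pdf.exe"),
    }


if __name__ == "__main__":
    for v in screen(sample_mailbox(), SecurityPolicy())[0]:
        print(v.msg_id, "WARN" if v.suspicious else "ok", v.reasons)
```

With `auto_remove` left off, `screen` only produces the warning list for the preview display; the ids it returns when the policy is subscribed are the ones a caller would delete at the mail server before launching the regular mail client.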

FIG. 3 shows an environment for electronically generating documents, including legal documents. A server 100 is connected to a network 102 such as the Internet. One or more client workstations 104-106 are also connected to the network 102. The client workstations 104-106 can be personal computers, thin clients, or workstations running browsers such as Netscape or Internet Explorer. With the browser, a client or user can access the server 100's Web site by clicking in the browser's Address box, typing the address (for example, www.mailrancher.com), and then pressing Enter. When the page has finished loading, the status bar at the bottom of the window is updated. The browser also provides various buttons that allow the client or user to traverse the Internet or to perform other browsing functions.

An Internet community 110 with one or more service providers, manufacturers, or marketers is connected to the network 102 and can communicate directly with users of the client workstations 104-106 or indirectly through the server 100. The Internet community 110 provides the client workstations 104-106 with access to a network of anti-virus specialists. For example, members of the Internet community 110 can include consultants who can help the user in recovering from an infection.

Although the server 100 can be an individual server, the server 100 can also be a cluster of redundant servers. Such a cluster can provide automatic data failover, protecting against both hardware and software faults. In this environment, a plurality of servers provides resources independent of each other until one of the servers fails. Each server can continuously monitor other servers. When one of the servers is unable to respond, the failover process begins. The surviving server acquires the shared drives and volumes of the failed server and mounts the volumes contained on the shared drives. Applications that use the shared drives can also be started on the surviving server after the failover. As soon as the failed server is booted up and the communication between servers indicates that the server is ready to own its shared drives, the servers automatically start the recovery process. Additionally, a cluster of servers or server farm can be used. Network requests and server load conditions can be tracked in real time by the server farm controller, and the request can be distributed across the farm of servers to optimize responsiveness and system capacity. When necessary, the farm can automatically and transparently place additional server capacity in service as traffic load increases.

The server 100 can also be protected by a firewall. When the firewall receives a network packet from the network 102, it determines whether the transmission is authorized. If so, the firewall examines the header within the packet to determine what encryption algorithm was used to encrypt the packet. Using this algorithm and a secret key, the firewall decrypts the data and addresses of the source and destination firewalls and sends the data to the server 100. If both the source and destination are firewalls, the only addresses visible (i.e., unencrypted) on the network are those of the firewall. The addresses of computers on the internal networks, and, hence, the internal network topology, are hidden. This is called “virtual private networking” (VPN).

The server 100 supports a document generating portal that provides a single point of integration, access, and navigation through the multiple enterprise systems and information sources facing knowledge users operating the client workstations 104-106. The portal can additionally support services that are transaction driven. One such service is advertising: each time the user accesses the portal, the client workstation 104 or 106 downloads information from the server 100. The information can contain commercial messages/links or can contain downloadable software. Based on data collected on users, advertisers may selectively broadcast messages to users. Messages can be sent through banner advertisements, which are images displayed in a window of the portal. A user can click on the image and be routed to an advertiser's Website. Advertisers pay for the number of advertisements displayed, the number of times users click on advertisements, or based on other criteria. Alternatively, the portal supports sponsorship programs, which involve providing an advertiser the right to be displayed on the face of the portal or on a drop down menu for a specified period of time, usually one year or less. The portal also supports performance-based arrangements whose payments are dependent on the success of an advertising campaign, which may be measured by the number of times users visit a Web-site, purchase products or register for services. The portal can refer users to advertisers' Websites when they log on to the portal.

Additionally, the portal offers contents and forums providing focused articles, valuable insights, questions and answers, and value-added information about anti-virus operations. Other services can be supported as well. For example, a user can rent space on the server to enable him/her to download application software (applets) and/or data—anytime and anywhere. By off-loading the storage on the server, the user minimizes the memory required on the client workstation 104-106, thus enabling complex operations to run on minimal computers such as handheld computers and yet still ensures that he/she can access the application and related information anywhere anytime. Another service is On-line Software Distribution/Rental Service. The portal can distribute its software and that of other software companies from its server. Additionally, the portal can rent the software so that the user pays only for the actual usage of the software. After each use, the application is erased and will be reloaded when next needed, after paying another transaction usage fee.

FIG. 4 shows an exemplary user interface displaying the status of a mail receiving process. In this example, twelve emails have been received and stored in the user's incoming mail server. The exemplary interface shows that the user's email account has successfully logged in and the emails are downloaded in a last-in-first-out order. The emails are downloaded in their virtual-copy format data so that they cannot self-execute. Using the system, the user previews the received emails and deletes suspicious emails before the emails are actually downloaded into an email software such as Outlook.

FIG. 5 shows an exemplary user interface for an exemplary email preview operation. In this example, the twelve emails have been downloaded. A clip is shown for each email with an attachment. Moreover, a warning flag is generated for each suspicious email for the user to decide whether that particular email should be deleted beforehand. A checkbox exists for each email so that the user can check off each email that needs to be deleted. Further, an email number ID, the email address of the sender, and email address(es) for all recipients are shown. The sender and recipient information can be helpful in that the user can determine whether the source is suspect. In many cases where the sender is familiar to the user (such as in the case of a virus that accessed the prior victim's address book), the list of recipients can be helpful. For example, a long list of recipients can signify a virus attack. Based on the information provided in the user interface, the user can effectively manage his or her emails to minimize if not avoid virus infections.

The invention has been described herein in considerable detail in order to comply with the patent Statutes and to provide those skilled in the art with the information needed to apply the novel principles and to construct and use such specialized components as are required. However, it is to be understood that the invention can be carried out by specifically different equipment and devices, and that various modifications, both as to the equipment details and operating procedures, can be accomplished without departing from the scope of the invention itself.

What is claimed is:
 1. A method for avoiding electronic mail (email) attacks on a computer, comprising: downloading to a first email application running on the computer one or more emails in virtual-copy format to prevent the one or more emails from executing; determining by the first email application whether a potentially infected email is in the one or more emails; and displaying the potentially infected email to a user and providing a user interface to allow the user to select and delete the infected email using the first email application prior to downloading emails to a second email application running on the user's computer.
 2. The method of claim 1, further comprising allowing non-infected emails to be accessed.
 3. The method of claim 1, further comprising downloading non-infected emails to an email software said second email application.
 4. The method of claim 3, wherein the email software is Microsoft Outlook.
 5. The method of claim 1, further comprising parsing the downloaded virtual-copy format emails to determine whether the emails are secure.
 6. The method of claim 1, wherein potentially infected emails are determined based on one or more of the following: an email from field, an email to field, and an email subject field.
 7. The method of claim 1, further comprising determining whether a security policy exists.
 8. The method of claim 7, wherein the security policy specifies characteristics of potentially infected emails.
 9. The method of claim 7, further comprising removing one or more potentially infected emails based on the security policy.
 10. The method of claim 1, further comprising displaying a summary for each email.
 11. A system for avoiding electronic mail (email) attacks on a computer, comprising: a processor; a memory coupled to the processor, the memory comprising computer program instructions executable by the processor comprising: means instructions for downloading to a first email application running on the computer one or more emails in virtual-copy format prevent the one or more emails from executing; means instructions for determining by the first email application whether a potentially infected email is in the one or more emails; and means instructions for displaying the potentially infected email to a user and providing a user interface to allow the user to select and delete the infected email using the first email application prior to downloading emails to a second email application running on the user's computer.
 12. The system of claim 11, further comprising means instructions for allowing non-infected emails to be accessed.
 13. The system of claim 11, further comprising means instructions for downloading non-infected emails to an email software said second email application.
 14. The system of claim 13, wherein the email software is Microsoft Outlook.
 15. The system of claim 11, further comprising means instructions for parsing the downloaded virtual-copy format emails to determine whether the emails are secure.
 16. The system of claim 11, wherein potentially infected emails are determined based on one or more of the following: an email from field, an email to field, and an email subject field.
 17. The system of claim 11, further comprising means instructions for determining whether a security policy exists.
 18. The system of claim 17, wherein the security policy specifies characteristics of potentially infected emails.
 19. The system of claim 17, further comprising means instructions for removing one or more potentially infected emails based on the security policy.
 20. The system of claim 11, further comprising code instructions to: retrieve emails in raw format and store emails in the virtual-copy format; extract e-mail headers including To, From, Subject, Cc, Bcc, Attachment and Body text; diagnose the headers To, From and Subject data to detect a virus pattern or behavior; and diagnose an attachment file to detect any potential auto run pattern or behavior.
 21. A computer program embodied on a non-transitory computer readable medium, the program including code for avoiding electronic mail (email) attacks on a computer, comprising: code for downloading to a first email application running on the computer one or more emails in virtual-copy format to prevent the one or more emails from executing; code for determining by the first email application whether a potentially infected email is in the one or more emails; and code for displaying the potentially infected email to a user and providing a user interface to allow the user to select and delete the infected email using the first email application prior to downloading emails to a second email application running on the user's computer.
 22. The computer program of claim 21, further comprising code for allowing non-infected emails to be accessed via the second email application.
 23. The computer program of claim 21, wherein the code for determining is configured to parse a downloaded virtual-copy format email to determine whether the corresponding email is secure.
 24. The computer program of claim 21, wherein the code for determining determines potentially infected emails based on one or more of the following: an email from field, an email to field, and an email subject field.
 25. A programmed computer, comprising electronic computer hardware operating in combination with software to avoid electronic mail (email) attacks on a computer, the programmed computer being configured to execute a plurality of steps, the steps comprising: downloading to a first email application running on the computer one or more emails in virtual-copy format to prevent the one or more emails from executing; determining by the first email application whether a potentially infected email is in the one or more emails; and displaying the potentially infected email to a user and providing a user interface to allow the user to select and delete the infected email using the first email application prior to downloading emails to a second email application running on the user's computer.
 26. The programmed computer of claim 25, further comprising the computer being configured to allow non-infected emails to be accessed via the second email application.
 27. The programmed computer of claim 25, wherein computer is configured to perform the determining by parsing a downloaded virtual-copy format email to determine whether the corresponding email is secure.
 28. The programmed computer of claim 25, wherein computer is configured to determine potentially infected emails based on one or more of the following: an email from field, an email to field, and an email subject field.
 29. A computer program embodied on a non-transitory computer readable medium, the program including code for avoiding electronic mail (email) attacks on a computer, comprising: code for downloading to, a first email program resident on the computer, one or more emails in non-executable format; code for determining, by a second email program, whether a potentially infected email is in the one or more emails; and code for displaying the potentially infected email to a user and providing a user interface to allow the user to select and delete the infected email using a third email program prior to downloading emails to a fourth email program resident on the user's computer.
 30. The computer program of claim 29, wherein the first and third email programs are part of the same email application.
 31. The computer program of claim 29, wherein the second and third email programs are part of the same email application.
 32. The computer program of claim 29, wherein non-infected emails in executable format are accessible via the fourth email program.
 33. The computer program of claim 29, wherein the code for determining is configured to parse a non-executable format email to determine whether the corresponding email is secure.